Digital substations, which replace traditional analog infrastructure, are essential to power grid operation but are facing growing vulnerability to cyber attacks. Existing anomaly detection in substation communication requires labeled datasets for supervised training and fails to incorporate temporal characteristics, which cannot detect unknown persistent attacks. Setting arbitrary thresholds for outlier detection leads to high false positives and low detection rates. This paper addresses cyber security challenges related to IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol within digital substations. We propose a novel unsupervised Transformer-based Distribution Fitting Anomaly Detection (TF-DiFAD) method for time series GOOSE frames with a robust thresholding technique. Deep packet inspection is used to extract features from GOOSE frames, which are processed through the proposed TF-DiFAD model. TF-DiFAD combines the deep learning transformer model with statistical distribution fitting techniques to accurately detect anomalous GOOSE frames. Specifically, reconstruction errors are generated using a state-of-the-art transformer model. A novel model-agnostic solution is applied for setting anomaly thresholds and calculating anomaly probabilities. The Kolmogorov-Smirnov test is employed to select the best-fitting distribution for these errors. TF-DiFAD is benchmarked against other state-of-the-art models using two distinct test datasets, demonstrating superior performance. The results indicate that TF-DiFAD detects anomalies with Receiver Operating Characteristics Area Under Curve (ROC AUC) scores of 96.84% and 95.73% respectively for both datasets.

Cyber attacks targeting Intelligent Electronic Devices (IEDs) in digital substations can disrupt power system operation, causing equipment damage, instability, cascading failures, and even a blackout. Cyber–Physical Power System (CPPS) datasets are critically needed to develop novel methods for the detection and prevention of cyber attacks on digital substations. In this paper, a novel CPPS dataset is proposed for cyber security of digital substations, including real-time power system measurements, i.e., electromagnetic transient three-phase voltages and currents, communication network traffic, and virtual IED resource metrics. Various scenarios are simulated on an IEC 61850-compliant testbed consisting of Real-Time Digital Simulator (RTDS) and physical and virtual IEDs in hardware-in-the-loop configuration. The dataset contains different operating conditions and cyber attack scenarios, i.e., normal operation, single-phase-to-ground fault, network reconnaissance, resource exhaustion, and IEC 61850 Generic Object-Oriented Substation Event (GOOSE) and Sampled Values (SV) injection attacks. This work aims to provide the research community with a comprehensive and high-fidelity dataset to be used for the design and testing of novel methodologies to increase the cyber security of power grids.

The increasing digitalization of power grids has introduced cyber security vulnerabilities. One of the vulnerabilities is related to the IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol for time-critical communication between Intelligent Electronic Devices (IEDs). This protocol lacks built-in message integrity and authentication mechanisms, making it susceptible to cyber attacks, e.g., spoofing. To address these vulnerabilities, IEC 62351-6:2020 recommends the usage of a Hash-based Message Authentication Code (HMAC). However, implementing this security measure in existing brownfield digital substations is challenging due to the lack of compatible commercial devices and is economically expensive. Therefore, this research proposes and evaluates a cost-effective cyber security enhancement using commodity hardware, e.g., Raspberry Pi, to implement HMAC-based message authentication for ensuring GOOSE message integrity and authentication in brownfield digital substations with respect to stringent time requirements for the operation of protective relays. The proposed solution ensures message integrity and authentication while maintaining compliance with standard requirements. Validation is performed using real commercial IEDs in a real-time Hardware-in-the-Loop (HIL) architecture, demonstrating that the solution meets substation time requirements. This approach provides a feasible and immediate cyber security enhancement for brownfield digital substations without requiring significant infrastructure changes.

Cyber attacks on power grids are imminent and potentially have a severe impact, as evidenced by the cyber attacks in Ukraine in 2015, 2016, and 2022. In response to this challenge, machine learning-based Intrusion Detection Systems (IDS) have become more prevalent as a potential mitigation owing to their alignment with the latest advances in artificial intelligence. However, existing anomaly detection methods for power grid Operational Technology (OT) are often inadequate, as they primarily focus on detecting power grid physical anomalies at the later attack stages and suffer from the scarcity of available data for supervised machine learning. To address these limitations, we propose a novel semi-supervised IDS specifically for digital substations of the power system. The proposed detection method identifies the distinctive distance similarity of digital substation OT communication traffic using a Convolutional Neural Network and Chebyshev distance of packet payloads, and Kolmogorov-Smirnov of packets’ interarrival time using Fast Fourier Transform amplitude. Subsequently, these traffic features are combined into a vector and classified using a novel hybrid semi-supervised Self-Organizing Map (SOM) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN). Results indicate that the proposed method can identify zero-day attacks and achieve accuracy and F1 above 95%.

The increasing digitalization of Cyber-Physical Power Systems (CPPS) has enhanced power system operation and control but has also expanded the attack surface for cyber threats. Detection of early-stage attacks such as reconnaissance and Denial-of-Service (DoS) is critical to prevent power system-wide disruptions. Centralized Machine Learning (ML)-based techniques have been proposed for detecting cyber attacks. However, they struggle to ensure data privacy. Federated Learning (FL) can address this issue through collaborative model training without raw data sharing. Yet, FL’s performance degrades under non-Independent and Identically Distributed (non-IID) data, a common scenario in real-world CPPS environments. In this paper, we propose a cluster-based FL method using Bidirectional Long Short-Term Memory (BiLSTM) for attack detection at the early stages of the cyber kill chain. It uses unsupervised clustering of client model updates for aggregation robustness and model generalization across heterogeneous clients. By grouping clients based on similarity in model updates, our method mitigates the adverse effects of data heterogeneity while preserving data privacy. The UNSW-NB15 dataset is used for distributed training under non-IID conditions and evaluation of the proposed method. Experimental results demonstrate that our cluster-based FL method achieves over 95% detection accuracy, proving its effectiveness in distributed cyber attacks detection in power systems.

Power grids are undergoing a fast-paced process of digitalization for enhanced monitoring and control capabilities and grid intelligence. However, the increased integration of digital technologies, such as the next generation of operational technologies (OTs) and digital substations, implies a new risk as information technology (IT)-OT systems are vulnerable to cyberattacks. Furthermore, the combination of heterogeneous, co-existing smart and legacy technologies generates significant vulnerabilities and security challenges. Examples of cybersecurity incidents related to power grids already exist around the world. On December 23, 2015, cyberattacks were conducted on the power grid in Ukraine that resulted in power outages, which affected 225,000 customers. More sophisticated cyberattacks on the Ukrainian power grid followed on December 17, 2016, resulting in a power outage in the distribution network where 200 MW of load was unsupplied. The complexity of cyberattacks on power systems is likely to increase. This chapter provides the state-of-the-art and essential knowledge of threats and cyberattacks on power systems. This chapter reviews major cyberattacks on power grids and industrial control systems. A detailed taxonomy of cyberattacks is provided. Power grid vulnerability to six main types of cyberattacks is discussed, that is, phishing, malware, network-based attacks, man-in-the-middle attacks, host-based attacks, and denial of service. The impact of cyberattacks on grid operation is analyzed in terms of loss of load, cascading effects, and equipment damage. A case study of a cyberattack scenario and simulation results are provided.

This paper elaborates on an extensive security framework specifically designed for energy management systems (EMSs), which effectively tackles the dynamic environment of cybersecurity vulnerabilities and/or system problems (SPs), accomplished through the incorporation of novel methodologies. A comprehensive multi-point attack/error model is initially proposed to systematically identify vulnerabilities throughout the entire EMS data processing pipeline, including post state estimation (SE) stealth attacks, EMS database manipulation, and human-machine interface (HMI) display corruption according to the real-time database (RTDB) storage. This framework acknowledges the interconnected nature of modern attack vectors, which utilize various phases of supervisory control and data acquisition (SCADA) data flow. Then, generative artificial intelligence (GenAI)-based anomaly detection systems (ADSs) for EMSs are proposed for the first time in the power system domain to handle the scenarios. Further, a set-of-mark generative intelligence (SoM-GI) framework, which leverages multimodal analysis by integrating visual markers with rules considering the GenAI capabilities, is suggested to overcome inherent spatial reasoning limitations. The SoM-GI methodology employs systematic visual indicators to enable accurate interpretation of segmented HMI displays and detect visual anomalies that numerical methods fail to identify. Validation on the IEEE 14-Bus system shows the framework’s effectiveness across scenarios, while visual analysis identifies inconsistencies. This integrated approach combines numerical analysis with visual pattern recognition and linguistic rules to protect against cyber threats and system errors.

Virtualization in digital substations is a rising trend in the power sector, opening up interesting research avenues. The virtualization of intelligent electronic devices (IEDs) is thought to enable more flexible and agile cybersecurity software updates and patching processes while seamlessly integrating with current physical IEDs. However, no studies have yet considered a general cybersecurity assessment for such novel hybrid systems. To fill this gap, a systematic cybersecurity assessment of a digital substation composed of hybrid (virtual and physical) IEDs is presented in this paper. A testbed was developed to assess the different attack vectors with a focus on targeting virtual machines (resource exhaustion) and injection attacks on IEC 61850-compliant communication streams. A hybrid protection selectivity use case was successfully demonstrated with multiple targeted cyber attacks on the testbed where the non-attacked IED successfully cleared the grid fault. The attacks’ impacts ranged from minor to major effects on the IEDs’ tripping signals (and eventually circuit breaker actions) including forced signal delays, signal latching, and signal drops. The results of this study highlight the importance of providing a proper cybersecurity by design strategy for integrating hybrid substation systems with virtualization technologies.

Digitalization is paving the way toward enhanced power grid operational capabilities and intelligence. The increased digitalization, however, also implies a greater risk of cyber vulnerabilities and threats. Therefore, various power systems facets such as transmission and distribution systems, digital substations, control centers, and wide-area communication networks are vulnerable to cyber-attacks. The most notable cyber-attacks on power grids are the twin attacks on the Ukrainian power grid in 2015 and 2016. These incidents clearly highlighted that cyber-attacks on power grids are an imminent threat that needs to be addressed. Keeping this in mind, this chapter provides essential knowledge of cyber-attack mitigation for cyber-physical power systems, i.e., secure communication protocols for operational technologies, penetration testing using cyber ranges and cyber-physical co-simulation, security controls, and intrusion detection and prevention systems. Among the wide-scope mitigation, artificial intelligence is highlighted as an emerging solution. This chapter presents how hybrid deep learning based on graph convolutional long short-term memory is used for anomaly detection in power system operational technology (OT) networks. Unlike traditional signature and supervised learning-based intrusion detection, the hybrid deep learning anomaly detection utilizes the OT traffic throughput. It takes advantage of the OT traffic’s deterministic and homogenous characteristics to provide a robust and flexible anomaly detection for a wide scope of cyber-attacks. The traffic anomalies are incorporated into an attack graph that aids power system operators identify and localize anomalies of active attacks on power systems in near real time. Cyber-attack case studies and cyber-physical co-simulation results are provided to demonstrate the efficiency of hybrid deep learning for anomaly detection.

The Digital Twins (DT) have emerged as the technology that provides capabilities to simulate and analyze cyber-physical systems’ behaviors using digital replicas. This is achieved through high-fidelity digital models, bi-directional communication and (near) real-time data exchange between physical real-world systems and DTs. Despite its capabilities of facilitating real-time monitoring, optimization, and predicting system performance, effectively leveraging DT for power system applications requires integrating data from heterogeneous sources and addressing various data related aspects. These include data modeling, exchange and interoperability. One promising concept to address these aspects is that of data federation which promotes interoperability, allowing DTs to operate autonomously, yet interact seamlessly. While various studies in literature have addressed DT applications, technologies, and challenges, a comprehensive review on the data federation aspects within power systems still needs to be investigated. This research seeks to bridge this gap by providing an in-depth review of DT practices in academia and industry, functional and non-functional requirements, and enabling technologies, with emphasis on data federation. Its role in enhancing system-wide interoperability in the power system, along with associated challenges are summarized and discussed.

Mitigation strategies to absorb impacts from extreme events that may trigger cascading outages are crucial for modern power systems, particularly given the increasing penetration of power electronics, thereby enhancing system resilience. This paper presents a comprehensive resilience-centered framework that integrates cyber-physical cascading mitigation through network topology reinforcement and operational strategies, specifically DC segmentation and controlled islanding, respectively. The methodology first identifies AC lines at segmentation boundaries (i.e., those that most frequently contribute to system partitioning) and evaluates the benefits of replacing them with VSC-HVDC links through dynamic cascading analysis and quantification, thereby enabling the asynchronous interconnection of segments. This approach helps confine cascading impacts within segments, significantly reducing the risk of widespread blackouts, especially in renewable-rich power grids with a heightened risk of instability. Next, to enhance operational resilience against cascading failures, controlled islanding is implemented within the DC-segmented system undergoing cascade initiation, effectively further confining cascading stress to a limited area around the origin of the initiating events. Tailored to enhance resilience in hybrid AC/DC power grids against cyber and physical cascade triggering events, the method leverages a cyber-anomaly detection technique to identify elements affected by fabricated protection trip commands and measurement replay attacks, distinguishing cyberattacks from physical disturbances. Implemented in the IEEE 39-bus and 118-bus test systems with dynamic cascading failure modeling that fully captures voltage and frequency transients in system response, the method demonstrates improvements of up to 88 % and 97 % in served demand, respectively, highlighting its effectiveness in mitigating cascading impacts and enhancing system resilience.

As a part of energy transition, the shift from internal combustion engines (ICEs) to electric vehicles (EVs) has accelerated the development of the EV charging infrastructure (EVCI). EVCI rely heavily on information and communication technologies (ICTs) and the Internet of Things (IoT). As a result, the susceptibility to cyber attacks increases. However, although EVCI are strongly intertwined with cyber-physical power systems (CPPSs), the consequences of such a cyber attack on the power grid are not widely researched. In this paper, we present a comprehensive cyber-physical system architecture of the EV charging infrastructure based on the industry practice in The Netherlands, which is applicable to European distribution systems. We present a survey of work on EVCI cyber security and CPPS resilience. We combine unique industrial insights with the academic state-of-the-art. We show that although cyber security of EVCI is researched, the state-of-the-art inadequately covers the consequences for CPPSs, especially distribution networks. We survey the current work on CPPS resilience and conclude that while cyber attacks are often recognized as high impact low probability (HILP) disturbances of CPPSs, the resilience-related research on cyber attacks on EVCI is lacking. Therefore, we present a novel method to model the stochastic EV charging behaviour based on probability density functions (PDFs). We validate the method using PowerFactory models of distribution networks supplied by a Dutch distribution system operator (DSO). We demonstrate the effects of cyber attacks on EVCI on distribution networks voltages. Under the investigated operational scenario, the impact is not significant. However the results do underline the importance of researching cyber attacks on EVCI from a CPPS resilience perspective. Research into future scenarios of energy transition is essential for future resilient operation of power grids.

Today's critical infrastructure systems are more interconnected and dependent on the electric power grid. This interdependence means that disruptions in one system can have far-reaching consequences across many others. This is particularly evident when a cyberattack in the power grid leads to widespread outages and disrupts essential societal services. To prevent such disasters, it is crucial that proactive actions are taken to secure our power grid control centers and digital substations. This is where digital twins (DTs) play an important role: By creating virtual replicas of cyberphysical assets and processes, DTs allow system operators to anticipate and address potential vulnerabilities in our cybersecurity defenses before they can be exploited. As such, a DT can be considered as a key contributor to safeguard the power system against cyberattacks. This article examines the potential future benefits of DTs in enabling a cybersecure and resilient power grid, explores multiple use cases, and proposes a path forward.

Cyber security risks are emerging in Cyber-Physical power Systems (CPS) due to the increasing integration of cyber and physical infrastructures. Critical component identification is a crucial task for the mitigation and prevention of catastrophic blackouts. In this paper, we propose a novel method using graph data mining for critical CPS components identification named GraphCCI. First, it defines two categories of component correlations to reveal the cascading features of CPS. GraphCCI maps cascading failure datasets under time-varying operational states into weighted cascading graphs and constructs a graph database for graph data mining. By adopting graph data mining techniques, frequent subgraphs are identified to construct the Cascading Characteristics Graph (CC-Graph). Finally, the Node Criticality Index (NC-Index) is proposed to quantify the criticality of each CPS component. The experimental results on the IEEE 39-bus system verify the effectiveness of the proposed method and present an in-depth analysis of the CPS cascading features.

The virtual integration of geographically distributed Research Infrastructures (RIs) for joint experiments in the domain of power and energy systems poses numerous challenges, particularly in terms of tool compatibility and user-friendliness. To address some of these challenges, this work presents the development and implementation of a laboratory-based middleware and data exchange service as part of the H2020 ERIGrid 2.0 project. The middleware comprises a suite of shared software tools and services designed to seamlessly integrate RIs including transport protocols as well as interface semantics. Specifically, this work details the development of a simplified and standardised interface known as the Universal Application Programming Interface (UAPI). It eliminates the need for users to grapple with the diverse intricacies of each individual RI, offering instead a tool-agnostic and standardised interface for conducting joint experiments. The work also presents and discusses the results of a real-world case study of a geographically distributed, sector-coupling experiment conducted between laboratories in Denmark, Greece, Italy, Netherlands, and Norway utilising the developed middleware.

High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.

Power systems are undergoing rapid digitalization. This introduces new vulnerabilities and cyber threats in future Cyber-Physical Power Systems (CPPS). Some of the most notable incidents include the cyber attacks on the power grid in Ukraine in 2015, 2016, and 2022, which employed Advanced Persistent Threat (APT) strategies that took several months to reach their objectives and caused power outages. This highlights the urgent need for an in-depth analysis of APTs on CPPS. However, existing frameworks for analyzing cyber attacks, i.e., MITRE ATT&CK ICS and Cyber Kill Chain, have limitations in comprehensively analyzing APTs in CPPS environments. To address this gap, we propose a novel Advanced Cyber-Physical Power System (ACPPS) kill chain framework. The ACPPS kill chain identifies the APT characteristics that are unique to power systems. It defines and examines the cyber-physical APT stages spanning from the initial phases of infiltration to cascading failures and a power system blackout. The proposed ACPPS kill chain is validated with real-world APT attacks on the power grid in Ukraine in 2015 and 2016, and cyber-physical simulations.

Synthetic networks aim to generate realistic projections of real-world networks while concealing the actual system information. Researchers have mainly explored methods to create synthetic power systems. However, with the rapid power grid digitalization, new methods are needed for synthetic communication networks of cyber–physical power systems (CPPS). In this article, we propose a two-stage generative model for generating synthetic communication topologies of large-scale CPPS based on the existing power grids. It reproduces the existing communication network design process and is capable of generating statistically realistic networks. The proposed method is implemented to create a realistic, large-scale synthetic CPPS for the interconnected power grids in continental Europe. The method is validated by comparing the generated communication network with 18 realistic communication network topologies with different system sizes. The experimental results validate the scalability and effectiveness of the generative model.

Cascading failures in power systems are extremely rare occurrences caused by a combination of multiple, low probability events. The looming threat of cyberattacks on power grids, however, may result in unprecedented large-scale cascading failures, leading to a blackout. Therefore, new analysis methods are needed to study such cyber induced phenomena. In this article, we propose a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. We provide experimental proof on how attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes, we define and analyze the point of no return in a cascading failure sequence by applying the Hilbert-Huang transform for time-frequency analysis. Numerical results indicate, cyberattacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. The proposed method is tested using time domain simulations conducted through a modified IEEE 39-bus test system, which can simulate cascading outages using coordinated protection schemes.

Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect the power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real-time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Units (PMUs) and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real-time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.